Android spyware released in breach
Several days ago it was reported that the surveillance company “Hacking Team” (HT) was hacked and that 400Gb of its content was released publicly. The dump contained not only sensitive information such as contracts, internal emails, and other private details, but also a collection of spyware utilities, toolkits, and exploits affecting several platforms: Windows, Linux, and OS X on the desktop, and iOS, Windows Phone 8, Blackberry, and Android on mobile.
We are treating this public release and exposure of the collection that includes Android spyware with high priority for our mobile customers.
In response to the impact on Android, 0xID Labs created an identification and removal tool (0xID HT Removal Tool) for our pilot customers. By request, we are also making it available to everyone. You can download it from http://www.0xid.com/htrm/HTRemovalTool.apk or from this alternate location: http://cnappscan.0xid.com/htrm/HTRemovalTool.apk. Users in China who reported access issues with the two previous links can use this Baidu download link instead: http://pan.baidu.com/s/1o622RuM
(SHA1: c3f154b9da0602cd1d514c0ac9e3f1d53f688098).
In our investigation, most of the hacking tools are exploits that take advantage of vulnerabilities in either the OS or specific applications to gain privilege escalation and arbitrary code execution. Among these, two 0-day attacks stand out: a Windows font vulnerability, and Adobe Flash CVE-2015-5119 (Update: Adobe has released a patch for CVE-2015-5119).
According to VirusTotal, most AV vendors detect these samples as InfoStealer threats. While investigating the payloads of the samples, we found evidence of data capture and the following capabilities:
- monitors incoming SMS and registers itself with high priority so that it handles incoming SMS before other apps
- monitors incoming and outgoing phone calls, logging the incoming or outgoing numbers
- collects GPS location info
- sets the ringer mode to mute or un-mute
- can take pictures using the device camera
- automatically accepts an incoming phone call in the following way: sets the ringer to silent, answers the call so that audio and voices around the device user can be heard, and takes a picture
As an example of our AppRisk scanning feature, the following is a snippet from the sandbox log for another of the Android samples (SHA1: b7b944c57164498193886b83f1f40842a6333e4a). In the snippet you can spot code that indicates the hacking tool uses AES encryption to communicate with a contacted host, probably an end-point used for surveillance and data collection from the affected device:
——————[ sandbox log ] ————————-
…
"recvnet": {},
"servicestart": {"150.12599992752075": {"type": "service", "name": "com.android.contacts.calllog.CallLogNotificationsService"}},
…
"sendsms": {"150.12599992752075": {"message": "TESTEST", "tag": ["TAINT_SMS"], "type": "sms", "sink": "SMS", "number": "1234"}},
"cryptousage": {"150.12599992752075": {"operation": "keyalgo", "type": "crypto", "algorithm": "AES", "key": "-51, -81, -2, -54, 98, -70, 115, 5, -116, 65, …"}},
"sendnet": {},
"accessedfiles":
…
"opennet": {"150.12599992752075": {"desthost": "8.8.8.8", "fd": "136", "destport": "7"}},
…
"closenet": {},
"phonecalls": {}
——————[ sandbox log ] ————————-
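The log above is keyed first by event category and then by timestamp, so events from different categories that happened at the same moment can be correlated. As an added example (not part of 0xID's tooling or the original post), the Python below flattens a log in that shape into a timeline and applies a few triage rules that match the behaviours described in this post; the embedded log is constructed to mirror the snippet, with a shortened timestamp.

```python
import json

# Constructed sandbox log mirroring the snippet above (hypothetical values;
# the keys under each category are seconds since the app started).
SAMPLE_LOG = json.loads("""
{
  "recvnet": {},
  "servicestart": {"150.126": {"type": "service",
      "name": "com.android.contacts.calllog.CallLogNotificationsService"}},
  "sendsms": {"150.126": {"message": "TESTEST", "tag": ["TAINT_SMS"],
      "type": "sms", "sink": "SMS", "number": "1234"}},
  "cryptousage": {"150.126": {"operation": "keyalgo", "type": "crypto",
      "algorithm": "AES", "key": "-51, -81, -2, -54, 98, -70, 115, 5, -116, 65"}},
  "sendnet": {},
  "opennet": {"150.126": {"desthost": "8.8.8.8", "fd": "136", "destport": "7"}},
  "closenet": {},
  "phonecalls": {}
}
""")

def timeline(log):
    """Flatten per-category dicts into (time, category, event) sorted by time."""
    events = [(float(ts), cat, ev)
              for cat, by_time in log.items() for ts, ev in by_time.items()]
    return sorted(events, key=lambda e: e[0])

def triage(log, window=5.0):
    """Return (time, rule, detail) findings for behaviours seen in the log."""
    events = timeline(log)
    findings = []
    for ts, cat, ev in events:
        if cat == "cryptousage" and ev.get("algorithm") == "AES" and ev.get("key"):
            # Key bytes are visible to the sandbox: set up in-app, not by the user
            findings.append((ts, "aes_key_loaded", ev["key"]))
        elif cat == "sendsms" and "TAINT_SMS" in ev.get("tag", []):
            # Taint tag: data that came from SMS is flowing back out over SMS
            findings.append((ts, "tainted_sms_send", ev.get("number")))
        elif cat == "opennet":
            findings.append((ts, "outbound_connection",
                             f"{ev.get('desthost')}:{ev.get('destport')}"))
    # Correlation: key setup followed closely by a socket open suggests an
    # encrypted channel to a collection host rather than purely local encryption.
    crypto = [t for t, c, _ in events if c == "cryptousage"]
    net = [t for t, c, _ in events if c == "opennet"]
    pairs = [(c, n) for c in crypto for n in net if 0 <= n - c <= window]
    if pairs:
        findings.append((pairs[0][0], "crypto_then_network", f"{len(pairs)} pair(s)"))
    return findings
```

Running `triage(SAMPLE_LOG)` yields one finding per flagged event plus the correlation hit; a log where the socket opens long before any key setup produces no correlation finding.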
The SHA1 hashes of the other known Android samples are available from the 0xID Labs team.
All known Android samples are detected. We continue our research on the pile of samples and vulnerabilities, and will push updated detection for this threat to our cloud.
NewSky Research Team